Security reporting

Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation). As such, they are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyber space today. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a re sult, performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA networks potentially vulnerable to disruption of service, process redirection, or manipulation of operational data that could result in public safety concerns and/or serious disruptions to the nation’s critical infrastructure. Cyber attacks or even worse, insider attacks on SCADA systems in energy production and distribution system s could endanger public health and safety as well as invoke serious environmental damage. The introduction of enterprise integration strategies coupled with lack of IT security knowledge has left process control systems vulnerable. The objective is to ide ntify steps companies can take to reduce IT vulnerability in process control systems and create an effective information security strategy and to become more reliant and robust. The research questions is: Is it possible to set up a security metrics Balanc ed Scorecard for security reporting to “continuously” validate the security level? Regarding to electrical infrastructure the aim of this thesis is in contribution to “Beredskapsforskriften” to describe a model or prototype of scorecard for security metri cs in a SCADA network. The intention is though to create at toolkit of security metrics yielded an appropriate for information security risk management in various types of critical infrastructure.